September 2016 Archives

September 7, 2016

FTC Responds to EPIC's Complaint about WhatsApp

The Federal Trade Commission has responded to the EPIC and Center for Digital Democracy complaint about WhatsApp's plan to transfer user data, including verified phone numbers, to Facebook. The FTC stated that it prohibits companies from engaging in unfair and deceptive practices and will enforce its 2012 Consent Order with Facebook. The FTC letter also acknowledged that the EPIC-CDD complaint “contains allegations regarding statements WhatsApp has made about how it limits the use of mobile phone numbers or other personally identifiable information.” The FTC said it will "carefully review" EPIC’s complaint. EPIC and CDD wrote that WhatsApp's plan to transfer user data to Facebook for user profiling and targeted advertising - without first obtaining users' opt-in consent - contradicts numerous FTC statements and violates Section 5 of the FTC Act. EPIC and CDD previously warned the Commission that it must protect the privacy interests of WhatsApp users following the acquisition by Facebook.

House Report Criticizes OPM Handling of Massive Data Breach Last Year

In a press release, the House Oversight and Government Reform Committee released a report criticizing the Office of Personnel Management’s handling of the data breach in 2015. The breach compromised the information of over 21.5 million individuals, including federal employees, their families and friends. The report concluded the OPM breach was preventable and recommended numerous measures including less use of social security numbers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also supported new limits on the collection and use of the SSN. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election.

EPIC and a coalition of consumer privacy advocates have sent a letter to the Federal Communications Commission in response to industry demands to further weaken the FCC's proposed broadband privacy rules. The groups reject efforts by Internet Service Providers to exempt anonymized consumer data from the privacy rules and to require opt-in consent only for sensitive information. The consumer groups also oppose mandatory arbitration and “pay-for-privacy” plans that would require consumers to pay fees for basic privacy safeguards. EPIC has called the FCC's proposed privacy rules a "modest first step" and repeatedly argued that the Commission can and should go further to "address the full range of communications privacy issues facing US consumers."

September 8, 2016

Pokemon GO developer Niantic has responded to Sen. Al Franken’s request for information concerning the company’s data practices. Sen. Franken’s letter, sent in early July, asked Niantic to clarify the scope, purpose, and necessity of its data collection practices. Niantic’s response letter indicates that it “collects and stores” user location data to place and position users on the game’s map, but fails to explain why and for how long location data is stored. Franken also directed the company to provide a current list of the "third party service providers" with whom user data is shared. Niantic’s letter confirms that it hires third parties to provide a variety of services, but does not specifically identify any of these companies. Privacy officials in Canada, Europe, and Asia, have begun investigations of Niantic, which is tied to the Google company Alphabet. The Niantic CEO led the Google project that captured private communications in more than 30 countries around the world. The initial Pokemon Go release provided Niantic full access to the user's Google account. EPIC sent a letter to the FTC urging the Commission to investigate the privacy risks posed by Pokemon GO, Niantic’s data collection practices, and its ties to Google.

According to an upcoming report by the President’s Council of Advisors on Science and Technology, much of the forensic analysis in criminal trials is not scientifically valid. The report, to be released this month, attacks the validity of analysis of evidence like bite-marks, hair, and firearms. The "lack of rigor in the assessment of the scientific validity of forensic evidence is not just a hypothetical problem but a real and significant weakness in the judicial system,” wrote the council. The Senate Judiciary Committee held hearings in 2009 and 2012 to discuss the need to strengthen forensic science, and Sen. Patrick Leahy (D-VT) introduced a forensic reform bill in 2014. EPIC has pursued FOIA requests on the reliability of proprietary forensic techniques. EPIC also filed a brief on the reliability of novel forensic techniques in the Supreme Court case Florida v. Harris.

September 9, 2016

Federal Agencies Unable to Measure FOIA Litigation Costs

In a new report, the Government Accountability Office found that the Justice Department and other federal agencies are unable to determine how much they spend on defending Freedom of Information Act lawsuits. The watchdog agency found that of the 112 FOIA lawsuits decided between 2009 and 2012 in which the requester prevailed, agencies were able to calculate costs for only half, and estimated $1.4 million in costs. The GAO—which conducted the investigation in response to a request from Senators Chuck Grassley (R-IA) and Patrick Leahy (D-VT) of the Senate Judiciary Committee—urged Congress to explore the possibility of requiring agencies to track FOIA litigation costs. EPIC routinely litigates FOIA cases against federal agencies, and is currently fighting to obtain secret Inspector General reports, surveillance oversight reports, and details on the government’s largest-ever phone surveillance program.

September 12, 2016

EPIC Republishes "Privacy and Human Rights," Most Comprehensive Survey of Privacy Law and Practices Ever

EPIC has published the first digital edition of Privacy and Human Rights: An International Survey of Privacy Laws and Developments. The report by EPIC and Privacy International provides an overview of key privacy topics in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Topics include biometric identification, Internet advertising, and location privacy. Over 1,100 pages, almost 6,000 footnotes, and more than 300 contributors. Now available online.

EPIC Prevails in FOIA Lawsuit for Government Privacy Assessments

EPIC has prevailed in EPIC v. DEA, a case involving a Freedom of Information Act request for privacy assessments the federal agency is required by law to perform. EPIC sued the Drug Enforcement Agency after the agency failed to respond to EPIC’s FOIA request. EPIC subsequently challenged the adequacy of the agency’s search. Today, the federal judge concluded that although the initial search was adequate, “EPIC has raised a substantial doubt as to the sufficiency of the DEA’s supplemental search.” The Court ordered the agency to conduct an additional search or explain why an updated search is not likely to produce additional records. EPIC pursued the DEA FOIA case after the disclosure of “Hemisphere,” perhaps the largest telephone record collection program in the world.

FTC Seeks Comments on the "Disposal Rule" for Consumer Data

The Federal Trade Commission is seeking public comments on the "Disposal Rule." The Disposal Rule requires companies to delete consumer data and to protect against unauthorized use of the data. The Commission seeks comment on a variety of issues including cost-benefit analysis and industry compliance. EPIC supported the implementation of the Disposal Rule in 2004 and continues to advocate for data protection measures. EPIC has also promoted Privacy Enhancing Techniques that minimize or eliminate the collection of personal information. Identity theft continues to be the top consumer complaint reported to the Commission.

September 14, 2016

A federal appeals court has ruled that LexisNexis violated the Fair Credit Reporting Act by selling background reports that wrongly included criminal convictions for innocent individuals. EPIC filed an amicus brief in the case, highlighting the failure of credit reporting agencies to adopt reasonable procedures to ensure accuracy. EPIC said that it is not enough to follow “industry standards” if inaccurate reports still result. The court found that Lexis was negligent because it failed to “follow reasonable procedures to assure maximum possible accuracy” of the information.

September 19, 2016

White House Updates Guidance on Federal Agency Privacy Practices

The Office of Management and Budget released a memorandum that requires the head of each agency to “assess the management, structure, and operation of the agency’s privacy program.” The OMB memo provides updated guidance, requiring the designation of a Senior Agency Official for Privacy with appropriate authority to implement the agency’s privacy program, including ensuring compliance with the Privacy Act. In 2015, a breach of records at the OMB impacted more than 22 million federal employees, family members and associates. EPIC has filed numerous comments with agencies across the federal government criticizing their lack of compliance with the Privacy Act. EPIC has also submitted amicus briefs to the US Supreme Court concerning the federal Privacy Act.

Policy Commission Seeks Public Comment

The Commission on Evidence-Based Policymaking has issued a request for comments on "strategies to increase the availability and use of government data." Congress established the Commission to study whether and how data across the federal government could be combined for policy research while protecting privacy. The Commission seeks comment on several issues including privacy risks, access to data, and whether a single clearinghouse should be created. In testimony before the Commission, EPIC President Marc Rotenberg emphasized safeguards for personally identifiable information, following EPIC’s work on Re-identification and The Census and Privacy. Comments to the Commission are due on November 14, 2016.

September 21, 2016

EPIC has sent a letter to the House Energy and Commerce Committee in advance of the hearing on “Modernizing the Telephone Consumer Protection Act.” The telemarketing law bars telemarketers and robocallers from contacting consumers by phone, fax, or text without prior consent. EPIC urged the Committee to ensure that an update to the law “protects consumers from unwanted commercial communications.” EPIC said legal rights should be “robust, enforceable and minimally burdensome for consumers.” Earlier this year, EPIC filed an amicus brief in support of strengthening TCPA protections for consumers. EPIC has also testified before Congress about the telemarketing law and submitted many comments concerning its implementation.

September 22, 2016

Pew Survey Finds Support for New US Privacy Laws, Limits on Data Retention

According to the Pew Research Center, there is broad support in the US for new legal protection for personal information. Pew found that “68% of internet users believe current laws are not good enough in protecting people’s privacy online; and 64% believe the government should do more to regulate advertisers.” Americans favor limits on how long the records of their activity are stored. Pew also found that “young adults are more focused than elders when it comes to online privacy,” and many have tried to protect their privacy, removed their names from tagged photos, and taken steps to mask their identity. According to Pew, 74% of Americans say it is “very important” to be in control of their personal information. EPIC maintains an extensive listing of polls concerning public attitudes toward privacy and has launched the Data Protection campaign to highlight privacy protection in the 2016 election.

Consumer Groups Back Call for FTC to Investigate WhatsApp

More than a dozen US consumer organizations have asked the Federal Trade Commission to pursue the complaint EPIC and the Center for Digital Democracy filed about WhatsApp’s plan to transfer user data to Facebook. The EPIC-CDD complaint said that the changes to WhatsApp contradict promises to users that personal information would not be used for marketing purposes. The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." The FTC responded that it would “carefully review” EPIC’s complaint. The consumer coalition letter urges the Commission to “fulfill its duty to protect consumer privacy, and to investigate and enjoin WhatsApp and Facebook’s proposed change in business practices.”

Federal Judge Unseals Secret Surveillance Records

A federal judge has ordered the public release of 235 sealed records of government surveillance in response to a request from a journalist. EPIC has urged greater transparency of these "pen register and trap and trace" orders. As a result of a Freedom of Information Act lawsuit against the Justice Department, EPIC v. DOJ, EPIC made public formerly secret documents about the government’s use of pen registers to collect the records of private communications.

Yahoo has announced that the personal data of at least 500 million users was breached in late 2014. The breach included users’ names, email addresses, telephone numbers, dates of birth, passwords and security questions and answers. For many years, EPIC has urged the Administration and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.

September 26, 2016

EPIC Tells Congress FTC Must Do More for Consumer Privacy

EPIC has sent a letter to the Senate Commerce Committee in advance of an oversight hearing on the Federal Trade Commission. EPIC explained that the FTC has not done enough to safeguard consumer privacy, citing the Commission's failure to enforce settlement agreements or to modify proposed settlements based on public comments. "The FTC’s failure to act in the face of mounting threats to consumer privacy and security could be catastrophic," EPIC warned. EPIC also proposed comprehensive consumer privacy laws to combat the growing threats of data breaches, identity theft, and financial fraud. Public opinion polls show broad public support for new US privacy laws.

September 27, 2016

Secret Ballot At Risk in Maryland After Election Board Vote

The Maryland State Board of Elections has voted to certify Maryland’s online ballot-marking system for general use, threatening voter privacy. Voters using the online ballot-marking system would receive and fill out their ballot online, risking third-party access to their vote. Previously, online ballot-marking was permitted only to enable participation by voters with disabilities. EPIC, Verified Voting, and Common Cause recently released The Secret Ballot at Risk: Recommendations for Protecting Democracy, a report highlighting the right to a secret ballot and how Internet voting threatens voter privacy. EPIC has a long history of working to protect voter privacy and election integrity.

EPIC has filed the opening brief in EPIC v. TSA II with the federal appeals court in Washington, DC, challenging the Transportation Security Administration's continued use of body scanners in US airports. TSA issued a regulation mandating the use of body scanners across the country more than five years after the court in EPIC v. TSA ordered the agency to "promptly" solicit public comments on the controversial body scanners program and nearly a decade after the agency deployed the scanners without public comments. EPIC told the court that the TSA's regulation entrenches body scanners over more effective, less intrusive screening techniques, and undermines the legal right of passengers to opt out. EPIC wrote that the TSA has failed to "justify the use of invasive screening techniques, or to provide the public with an opportunity to respond to the denial of the passenger opt-out right."

Germany Prohibits WhatsApp Data Transfer to Facebook

Germany’s privacy regulator has ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s new data transfer policy constitutes “an infringement of national data protection law.” EU Competition Commissioner Margrethe Vestager has also opened an investigation into WhatsApp’s privacy changes, which contradict previous commitments to users and regulators. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC responded it would “carefully review” EPIC’s complaint. The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”

Senators Seek Answers About Yahoo's Massive Data Breach

Led by Senator Patrick Leahy, several senators sent a letter to Yahoo’s CEO, Marissa Mayer, seeking answers about the massive data breach that compromised the sensitive data of 500 million accounts. The Senators were troubled by the delay in breach notification, stating “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week.” EPIC testified in support of strong data breach notification laws in 2009 and 2011 and urged Congress to ensure that users are “notified promptly” when personal information is wrongfully disclosed. EPIC launched “Data Protection 2016” to make privacy a campaign issue and recently filed an amicus brief to protect the ability of consumers to sue companies that fail to protect their personal information.

Massachusetts Court Upholds Privacy Rights of Cell Phone Users

The Massachusetts Supreme Judicial Court ruled today in Commonwealth v. White that the Fourth Amendment prohibits law enforcement from seizing a cell phone based simply on an officer’s suspicion that a cell phone may be used in a crime, finding that a warrant must be obtained prior to the seizure of the phone. EPIC filed an amicus brief in the case, arguing that "digital is different," and therefore the legal standard for warrantless searches of contraband in schools does not apply to cell phones. EPIC also explained the significance of Riley v. California, the recent Supreme Court decision that established a warrant requirement for searches of cell phones. The EPIC State Policy Project coordinated the EPIC amicus brief in the case.

Nickelodeon Plaintiffs Ask Supreme Court to Hear Video Privacy Case

The plaintiffs in the In re Nickelodeon class action recently asked the Supreme Court to hear their case. In June, a federal appeals court rejected claims that Viacom and Google violated the Video Privacy Protection Act, holding that static IP and MAC addresses are not “personally identifiable information.” The opinion contradicted a ruling from a different federal appeals court which held that unique IDs are personally identifiable under the video privacy law. EPIC filed an amicus brief in the Nickelodeon case, explaining that Congress defined personal information broadly “to ensure that the underlying intent of the Act—to safeguard personal information against unlawful disclosure—is preserved as technology evolves.” The petition is C.A.F. v. Viacom, case number 16-346.

September 30, 2016

India Joins International Opposition to WhatsApp Privacy Changes

India’s Delhi High Court has ordered WhatsApp not to transfer to Facebook any user data that was collected prior to September 25, 2016, and to delete data of users who opted out of WhatsApp’s new data transfer policy prior to that date. Last month, WhatsApp announced it would begin transferring user data, including verified phone numbers, to Facebook in violation of previous privacy promises. Germany has also ordered Facebook to immediately stop collecting and storing user data from WhatsApp, and to delete all WhatsApp user data already transferred. EPIC filed a complaint with the FTC over the policy change, and more than a dozen consumer groups have backed these efforts. The FTC’s latest response to the consumer coalition emphasized “FTC staff’s position that companies must obtain affirmative express (opt-in) consent before making material, retroactive changes to privacy promises.” The FTC has previously stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”

EPIC Opposes DHS Plan to Collect Social Media Identifiers

In comments to the Department of Homeland Security, EPIC urged the agency to drop a plan to review the social media accounts of people seeking to visit the U.S. EPIC argued that the proposal threatens important First Amendment rights, risks abuse, and would disproportionately impact minority groups. Documents obtained by EPIC in 2011 in a Freedom of Information Act lawsuit revealed that the DHS gathered social media comments to identify individuals, including US citizens, critical of the agency and the government. A 2012 Congressional hearing, based on the documents obtained by EPIC, revealed bipartisan opposition to the original DHS social media monitoring program.